How Twitch Addresses Scalability and Authentication

Last Tuesday, the Twitch Identity team — which helps Twitch users create and manage their digital identity and owns the services that provide authentication, authorization, and user metadata management — hosted a Meetup.com event to explain just that. But we’re recapping here just for you!

First challenge: Login form load

The goal of authentication is to verify who the user is. In a typical login flow, the user supplies a password along with a username and the service validates the credentials.

The Twitch Login form used to load very slowly, as long as 10 seconds in some Asian and Pacific countries. The browser had to make a DNS request for the authentication backend, initiate a TLS connection to authentication service, make a request to load the page, and then make additional requests for more assets. Altogether, there were five round trips and over 150 KB of data transfer.

To improve load latency, the team considered a few options: prefetching, connection reuse, inlining, and lazy loading.

Ultimately, the solution relies mostly on prefetching by making the login modal part of the main page, but it employs lazy load for fetching heavy assets. As a result, the median load latency dropped as much as 20x from 4.1 sec to 0.2 sec.

Second challenge: User session validation

At the end of the login flow, the browser obtains a long-lived OAuth 2.0 access token and stores it in a cookie. This token is required for subsequent requests to the Twitch API and the corresponding downstream services.

If each service had to validate the OAuth token directly against the token dispensary, the latter would need to handle calls from multiple services for every API request. To reduce the workload, the Identity team implemented an approach that employs self-contained JSON Web Tokens (JWT).

In this approach, before forwarding the request to downstream services, the API calls a JWT Authority service, which validates the OAuth token and generates a short-lived JWT token. The latter contains a user id, scopes, and a digital signature. The API includes a JWT token in calls to all downstream services instead of an OAuth token. The services validate the digital signature in the JWT token and read the payload. This design dramatically reduces the number of requests to the token dispensary.

Check out the VOD now for the whole talk.

Future projects

The Identity team has a roadmap that extends into 2020, which includes improvements in the detection and prevention of malicious behavior, security enhancements, federated identity, service re-architecture, etc.

If you are interested in joining the team, we are currently hiring in San Francisco.